Lucene search

K
redosRedosROS-20221108-01
HistoryNov 08, 2022 - 12:00 a.m.

ROS-20221108-01

2022-11-0800:00:00
redos.red-soft.ru
35
curl
command line
vulnerability
hsts inspection
unencrypted http
boundary error
http responses
unix
remote attacker
proxy server

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.009 Low

EPSS

Percentile

83.0%

A vulnerability in the cURL command line utility is related to an error in parsing URLs with
IDN characters that are replaced by ASCII analogs during IDN conversion. Exploitation of the vulnerability
could allow an attacker acting remotely to bypass curl’s HSTS inspection and force it to
Use the unencrypted HTTP protocol

The cURL command line utility vulnerability involves a boundary error in the processing of non-200 HTTP responses to the
proxies for the following schemes: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet. Exploitation
vulnerability could allow an attacker acting remotely to cause a bug by forcing an application to
connect to resources that are not allowed by the configured proxy server

OSVersionArchitecturePackageVersionFilename
redos7.3x86_64curl<= 7.81.0-5UNKNOWN

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.009 Low

EPSS

Percentile

83.0%